This example was developed between two Linux machines running stunnel version 4.04-4 on a Red Hat Enterprise 3.0 system.įirst, you must know that with the standard Bacula configuration, the Director will contact the File daemon on port 9102. Although the details may be slightly different, the same principles apply whether you are encrypting between Unix, Linux, or Win32 machines. We assume the Director and the Storage daemon are running on one machine that will be called server and the Client or File daemon is running on a different machine called client.
This chapter will show you how to use stunnel to encrypt communications to your client programs. Without too much effort, it is possible to encrypt the communications between any of the daemons.
Please see the TLSCommEncryptionmainchapter of the Bacula Enterprise Main Manual if you are using Bacula 1.37 or greater. Prior to version 1.37, Bacula did not have built-in communications encryption.
A simple configuration for a single server with a single client that are using a pre shared secret is:Ĭlient:/etc/stunnel/nf BOM composed of non printable characters. When such transfer is acceptable, pre shared key is the fastest method.
A pre shared secret has to be transferred to all involved machines a priory by other means, such as SCP and SFTP. Either a pre shared secret, or a key and certificate pair, can be used for authentication. Which is why you might want to verify that they are still there after editing is completed with the above od, or similar, command.Īt least one of the client and the server, and optionally both, should be authenticated. Note that when printing the file to the screen, such as with cat, or when editing the file with a text editor, the BOM bytes are usually not displayed. % od -address-radix=n -format=x1c -read-bytes=8 /etc/stunnel/nf To test if those bytes appear, one can use It is here, before the semicolon!' > /etc/stunnel/nf # echo -e '\x ef\x bb\x bf BOM composed of non printable characters. Creating a file with these bytes at its beginning can be done by Its UTF-8 representation is the (hexadecimal) byte sequence 0圎F, 0xBB, 0xBF. The configuration file should have a UTF-8 byte order mark (BOM), at the beginning of the file. The configuration tokens setuid and setgid are available for this purpose. After verifying correct operation, it is worth explicitly setting lower value in the configuration file.įor better security, it is advised to explicitly set an appropriate uid and gid, other then root, for the global section and the per service sections. The default debug value is 5, which is very verbose. It then connects to where the data should be sent to. The stunnel server accepts TLS encrypted data and extracts it. Stunnel will TLS encrypts its data and connects to the stunnel server. It is composed from a global section, followed by one, or more, service sections.Ī client is one to accept non TLS encrypted data. The main configuration file is read from /etc/stunnel/nf. In order for the stunnel to start up automatically at system boot you must enable it.
Install stunnel from official repositories.ĭepending on your usage, you might also Systemd#Editing provided units to better Systemd#Handling dependencies.